In January 2020, the Information Commissioner’s Office (ICO) fined DSG Retail Limited half a million pounds for “systemic failures” in the way it safeguarded its customers’ personal data*. As a result of this lack of care, an attacker was able to install malware on 5,390 cash registers at Dixons Travel and Currys PC World stores – putting at least 14 million people at risk. What’s more, the ICO’s investigation into the Dixons data breach found that it was not just people who made purchases at these stores during the breach period who were affected.
The data stolen also included details of people who had either service plans, or who had made finance purchase enquiries before the breach occurred. The company stored data on those transactions to include both passed and failed credit checks, and over two million of those records were accessed and obtained by the hackers. So, if you made or attempted to make a purchase with the Dixons Group from 2015 onwards, your details could have been taken.
So, just how bad were the Currys PC World/Dixons Travel security processes? Here’s a list of what the ICO found during its investigation into the data breach.
* This fine was later reduced on appeal
The company’s network segregation was insufficient
At the time of the incident, Dixons’ Point of Sale (POS) system was not segregated from the broader corporate network. If sufficient internal network segmentation had been in place, this could have contained the compromise to a particular section of the network. And it is not as if the business wasn’t warned. The company used Microsoft operating systems for its POS systems, and guidance published by Microsoft in 2014 suggested that organisations implement a security boundary between systems.
There was no local firewall configured on the POS terminals
If a local firewall had been in place, this could have prevented unauthorised access to the POS system and the unauthorised movement of customer data out of the network.
The business did have firewalls enabled and running on its wider system, and the company argued that the presence of a local firewall would not have averted this attack because the attacker had domain admin-level access and so could have reconfigured the rules. However, the ICO felt that, just because the attacker could have done this, that did not make the control any less appropriate. It argued that the hack would have been more challenging had a local firewall been in place, and this would have increased the likelihood of detection.
The company’s approach to software patching was inadequate
Evidence provided by Currys PC World/Dixons Travel in its defence confirmed that its POS terminals were not compliant with its own patching policy at the time of the hack.
In this case, it is suspected that the attacker exploited an unpatched vulnerability. This was a known vulnerability for which Microsoft had released a patch in 2014. The business did not fully implement this patch, which meant that the vulnerability remained exploitable for four years. During this time, the hacker was able to compromise personal data held on the POS terminals.
Also, the investigation uncovered that there were multiple instances of missing patches in some of the POS terminals.
Vulnerability scanning was not performed regularly
The ICO’s investigation also revealed that vulnerability scanning of the compromised environment was not performed regularly. Had this been done, the company would have been able to identify weaknesses in its network and fix them before it was compromised.
The business failed to manage application whitelisting
Application whitelisting protects computers and networks from potentially harmful applications by allowing only approved software to run and blocking everything else by default. However, Currys PC World/Dixons Travel failed to correctly manage application whitelisting across its full fleet of POS terminals. In fact, only one in two terminals was correctly configured with application control.
In its defence, Currys PC World/Dixons Travel argued that the hacker would likely have been able to bypass its whitelist blocking mechanisms, even if they had been in place. However, here again, the ICO found that application whitelisting was one of a number of security measures which should have been used to prevent the attacker from succeeding.
Currys PC World/Dixons Travel did not have an effective monitoring system
The ICO found that Currys PC World/Dixons Travel did not have an effective method of logging and monitoring to identify and respond to incidents promptly. This failure created a security risk and may have hindered the detection and investigation of the security incident.
Currys PC World/Dixons Travel POS software was outdated
The affected hosts were running versions of Java that were many years out of date (eight years in the case of the affected POS terminal). The Commissioner believed this placed the POS terminals at increased risk of compromise.
Currys PC World/Dixons Travel POS system did not support Point-to-Point Encryption (P2PE)
P2PE protects payment card data from the point of capture, such as when the card is read by a card payment terminal, until it reaches the secure decryption endpoint, so that card data is never available in the clear on the POS terminal itself. However, while P2PE was being deployed at the time of the attack (at a high cost to the business), it wasn’t yet in place.
The ICO accepted that the cost of P2PE implementation was high, but felt that this should be weighed against the level of harm that might result from unauthorised processing of personal data. In this case, the cost of implementing P2PE was proportionate to the size of the business, the nature and volume of personal data being processed by it, and the standard of security at the time.
Currys PC World/Dixons Travel failed to effectively manage the security of its domain administrator account
In another error, according to the ICO, Currys PC World/Dixons Travel failed to assess the addition of user accounts to the domain administrator group, and it did not adhere to its own policies in respect of access permissions and passwords.
Currys PC World/Dixons Travel failed to implement standard builds for all system components
Currys PC World/Dixons Travel failed to conform with industry-standard hardening guidance, which would have seen it apply standard builds for all system components. Had this been in place, it would have reduced the likelihood of compromise.
Did Currys PC World/Dixons Travel get off lightly?
While the ICO’s fine of £500,000 was significant, it was later reduced to £250,000. What’s more, Currys PC World/Dixons Travel dodged a much bigger financial penalty: had the attack happened now, the punishment would inevitably have been much higher under the new data protection regulations (GDPR). And of course, victims of the Currys PC World/Dixons Travel data breach won’t get a penny from the fine. That’s because, while the ICO has the power to issue fines to organisations that breach the Data Protection Act, it doesn’t have any authority when it comes to compensating victims.
Making a Currys PC World/Dixons Travel data breach compensation claim
At Keller Postman UK, we believe that it’s important that people hold the retailer to account by making a Currys PC World/Dixons Travel data breach compensation claim. Not least because:
- This data breach left customers vulnerable to financial theft and identity fraud
- The careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud
- This is not the first time the company has failed to protect its customers’ data. In fact, there is a history of data negligence at the company. It’s essential to hold Currys PC World/Dixons Travel to account if data security is to improve.
In response, we have launched a group action to help people claim Currys PC World/Dixons Travel breach compensation. To become part of this group action, we need you to register with us. We can take on your claim on a no-win, no-fee basis, so you have nothing to lose.